Project

General

Profile

Actions

Feature #1904

closed

mod_secdownload option to include url GET parameters in md5

Added by mimbert about 15 years ago. Updated about 7 years ago.

Status:
Fixed
Priority:
Low
Category:
mod_secdownload
Target version:
ASK QUESTIONS IN Forums:

Description

I am using lighttpd secure_download to restrict access to multimedia files (images and videos) to registered members to a website. However I needed to include the get parameters in the md5 hash to protect mod_flv_streaming type of URLs (http://someserver.com/some_video.flv?start=1234).

I wrote some code to support this. The string to be hashed is:
<secret><rel-path><timestamp-hex><parameters-string>

where parameters-string is for exemple "start=1234", or "start=1234&id=4321"

The following option can be used in lighttpd config file to activate this behaviour (which is disabled by default):

secdownload.md5-params = "enable"

An exemple of a generated URL:

http://206.125.164.199/dl/884101a561c305c29571d32461257528/499ad324/V12491_full_vp6_1000.flv?start=0&end=30

If a user try to alter the parameters (ie: start=0&end=120) or to remove them, mod_secdownload will return a 403 error.

I included a diff file to that issue report and I would greatly appreciate I you could consider using this patch in a future release.

Thanks!
Mathieu


Files

securedownload.diff (2.49 KB) securedownload.diff Include URL parameters in URL mimbert, 2009-02-17 15:20

Related issues 1 (0 open1 closed)

Related to Feature #646: secdownload.path_elements supportFixedActions
Actions #2

Updated by wolpert almost 12 years ago

Is there any progress with this patch? Is this known to work? I have the same needs now...

Actions #3

Updated by mimbert almost 12 years ago

Wolpert, I've been using this patch for 3 years now. So if they don't include it in a release, I suggest you use my diff and compile your own version...

Actions #4

Updated by stbuehler almost 12 years ago

  • Target version set to 1.4.x
  • Missing in 1.5.x set to No

1.4.x is sort of "stable", so feature requests are not a priority. And if the target version isn't set i don't see them in the roadmap, so they get lost pretty fast :)

The patch itself looks fine apart from one detail: imho the "?" should be part of the md5 too (con->uri.query starts after the "?").

Actions #5

Updated by mimbert almost 12 years ago

Good point. I considered the '?' as a simple separator and did not include it in the signature, so in my opinion the param should only be key1=val1&key2=val2... Furthermore the signing is done in PHP and the $_SERVER['QUERY_STRING'] doesn't include the '?'.

Actions #6

Updated by wolpert almost 12 years ago

I could use either method for the md5 myself. I'd rather keep query params attached to the md5 the way you would a path_info param... but I have no legacy code to work with here. (FWIW, My client usage will be in Java)

Actions #7

Updated by gstrauss about 7 years ago

  • Subject changed from mod_secure_download option to include url GET parameters in md5 to mod_secdownload option to include url GET parameters in md5
  • Status changed from New to Need Feedback
  • Priority changed from Normal to Low

Is this feature request still desirable?

In the intervening year, additional algorithms have been added to mod_secdownload which are more tamper resistant than MD5: HMAC-SHA1 and HMAC-SHA256

Even if using MD5, arbitrary validation could be accomplished using a FastCGI authorizer in lieu of mod_secdownload, allowing the creation of the keys to be collocated with the code which validates the keys, instead of trying to extend mod_secdownload in a variety of ways.

Actions #8

Updated by gstrauss about 7 years ago

  • Related to Feature #646: secdownload.path_elements support added
Actions #9

Updated by gstrauss about 7 years ago

  • Status changed from Need Feedback to Patch Pending
  • Target version changed from 1.4.x to 1.4.45
Actions #10

Updated by gstrauss about 7 years ago

  • Target version changed from 1.4.45 to 1.4.46
Actions #11

Updated by gstrauss about 7 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
Actions

Also available in: Atom